The report will no doubt rekindle debate over whether the U.S. government overstepped legal boundaries to collect electronic intelligence, and whether it has been unduly pressuring technology companies.

The decision to comply with the directive, reportedly made by Yahoo CEO Marissa Mayer, apparently roiled other company executives. The discovery of the software eventually triggered the resignation in May 2015 of CSO Alex Stamos, who became Facebook's CSO the next month, Reuters reports, citing former employees. It adds that insiders believe that either the FBI or the National Security Agency requested the email content interception.

According to the report, Yahoo's own security team independently discovered the software in May 2015, just weeks after it had been secretly installed. The team initially thought hackers had compromised the search giant's network. To make matters worse, the software contained a programming flaw that Stamos contended could have also allowed hackers to access the emails, Reuters says.

Yan Zhu, a senior security engineer who worked at Yahoo until November 2015, wrote on Twitter that the company "may be doomed but I'm still proud of my ex-coworkers on the security team for finding the backdoor quickly and eventually whistleblowing."

"It was a hard job," she wrote in a subsequent tweet. "I'm proud of both those who left over this and those who stayed so they could keep trying to protect 800 million Yahoo users."

imagine yourself in our situation. if you knew everything, would you leave bc of ethics or would you stay bc you could make things better?

Yahoo called the Reuters story "misleading," arguing that "the mail scanning described in the article does not exist in our systems," according to The Hill. And Adm. Michael Rogers, who heads the NSA, called the report "a little speculative" and said the NSA can't get a judge's approval to "blanket" search through "all email," according to the news report.

Surveillance Worries

If the report is accurate, the directive Yahoo received from the government breaks new ground, says the Electronic Frontier Foundation, a digital watchdog that has been critical of U.S. spy agency programs revealed by former NSA contractor Edward Snowden. In particular, it would mark the first public indication that a U.S.-based email provider was compelled to conduct real-time surveillance against its customers.

"It represents a new - and dangerous - expansion of the government's mass surveillance techniques," says EFF Senior Staff Attorney Mark Rumold via email. "This type of surveillance is unconstitutional, and it flies in the face of the Fourth Amendment's prohibition against unreasonable searches."

While the EFF believes the practice to be illegal, it's still unclear exactly what kind of order Yahoo received. Company officials could not be immediately reached for comment. Yahoo told other media outlets that it "complies with the laws of the United States," an oblique statement that was dimly received by some privacy watchers.

"Yahoo before: We fight any requests we deem improper or overbroad," writes Christopher Soghoian, principal technologist with the Speech, Privacy, and Technology Project at the American Civil Liberties Union, on Twitter. "Yahoo now: We follow the law. Ugh."

Other large technology companies, including Twitter, Apple, Facebook and Microsoft, denied scanning incoming content and said they had not received such a request from the government, The Wall Street Journal reports. Google says there's "no way" it would comply with such a request, while the others maintain that they would oppose any such request.

Just the Latest Bad News for Yahoo

The revelation couldn't come at a worse time for Yahoo.

Verizon announced in July it would acquire the company for $4.8 billion. The acquisition is still pending regulatory and legal reviews, which have been complicated in part by Yahoo's Sept. 22 disclosure of a breach in 2014 that compromised at least 500 million user accounts. Verizon did not learn of the breach until about two days before Yahoo publicly announced the incident, blaming state-sponsored attackers (see Massive Yahoo Data Breach Shatters Records).

The new revelation is also ironic because Yahoo fiercely resisted secret surveillance-related legal orders from the U.S. government in 2007 and 2008. The company maintained that supplying user information for the NSA surveillance program code-named PRISM - and its bulk data collection - violated the Constitution.

PRISM collected data from at least nine technology companies and was one of a number of bulk surveillance programs intended to more closely monitor possible terrorism threats. Intelligence agencies do not need a warrant to collect information about non-U.S. citizens under the Foreign Intelligence Surveillance Act and are supposed to minimize data collection of Americans.

Life After Snowden

But the Snowden leaks highlighted how various collection programs inadvertently scooped up information and metadata relating to U.S. citizens, a practice which should - in theory - have required a well-defined warrant approved by a court. Under the law at the time, technology companies were legally forced to comply with the orders, which came from the Foreign Intelligence Surveillance Court. Its decisions and proceedings are not public.

Given Yahoo's previous, related defeats, Mayer - who joined the company in 2012 - and other company executives complied with the email-scanning directive rather than trying to fight it, Reuters reports, adding that the decision upset many employees who thought the company could have successfully blocked the directive in court.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
